
LNK2019:unresolved external symbol _DriverEntry@8 referenced in function _GsDriverEntry@8

更新时间:2012-10-1:  来源:毕业论文

通过 inline hook ObReferenceObjectByHandle 来保护进程,代码取自看雪论坛上的例子,用 C 语言编写。编译时出现链接错误 LNK2019: unresolved external symbol _DriverEntry@8 referenced in function _GsDriverEntry@8

#include <ntddk.h>
#include <WINDEF.H>

 

/* Holds the first 5 bytes of ObReferenceObjectByHandle: filled by InlineHook,
 * written back over the function by InlineUnHook. */
BYTE OriginalBytes[5]={0};  
/* 5-byte patch buffer. 0xE9 is the x86 near-jump (JMP rel32) opcode; the four
 * zero bytes are the placeholder for its 32-bit displacement. */
BYTE JmpAddress[5]={0xE9,0,0,0,0};
/* CR0 value saved by the inline assembly before bit 16 is cleared, and loaded
 * back afterwards. One global is shared by InlineHook and InlineUnHook. */
ULONG CR0VALUE;

/* Kernel-exported pointer to the process object type; dereferenced in
 * MidObReferenceObjectByHandle to recognise process objects. */
extern POBJECT_TYPE *PsProcessType;


/* Local redeclaration of the kernel routine whose first bytes this file
 * overwrites.
 * NOTE(review): ntddk.h normally declares this routine already; confirm the
 * two declarations agree (calling convention / import attributes). */
NTSTATUS ObReferenceObjectByHandle(
  __in HANDLE Handle,
  __in ACCESS_MASK DesiredAccess,
  __in_opt POBJECT_TYPE ObjectType,
  __in KPROCESSOR_MODE AccessMode,
  __out PVOID *Object,
  __out_opt POBJECT_HANDLE_INFORMATION HandleInformation
);

/* Forward declaration of the replacement routine defined later in this file;
 * it takes the same parameters as ObReferenceObjectByHandle. */
NTSTATUS MidObReferenceObjectByHandle(
  __in HANDLE Handle,
  __in ACCESS_MASK DesiredAccess,
  __in_opt POBJECT_TYPE ObjectType,
  __in KPROCESSOR_MODE AccessMode,
  __out PVOID *Object,
  __out_opt POBJECT_HANDLE_INFORMATION HandleInformation
);

/*
 * InlineHook - overwrite the first 5 bytes of ObReferenceObjectByHandle with
 * the contents of JmpAddress, after saving the original bytes.
 *
 * Steps, in order: log the routine's address, copy its first 5 bytes into
 * OriginalBytes, store a value into JmpAddress, clear CR0 bit 16 (write
 * protect), raise IRQL, copy the 5 patch bytes over the routine, lower IRQL,
 * restore CR0.
 *
 * The function has no declared return type (implicit int) and returns no value.
 *
 * NOTE(review): this is 32-bit x86 only (MSVC inline assembly, 32-bit pointer
 * arithmetic). In-memory modification of a kernel export like this is what
 * integrity checks that compare loaded kernel code against the on-disk image
 * report, and Kernel Patch Protection on x64 Windows treats it as corruption.
 * The supported way to filter handle access to processes is
 * ObRegisterCallbacks.
 */
InlineHook()
{
KIRQL Irql;

/* NOTE(review): %x is given a function pointer; the value printed is the
 * kernel address of the routine, which also ends up in the debug log. */
DbgPrint("Original ObReferenceObjectByHandle Address is 0x%x",ObReferenceObjectByHandle);
// Save the first 5 bytes of the original function
RtlCopyMemory(
  __in OriginalBytes,
  __in ObReferenceObjectByHandle,
  __in 5);
/* NOTE(review): the cast to BYTE* makes this a one-byte store to JmpAddress[0],
 * so the 0xE9 opcode is replaced by the low byte of the expression and
 * JmpAddress[1..4] stay zero. The 5 bytes copied over the routine below are
 * therefore not a well-formed jump; confirm before loading, since executing
 * them in kernel mode would most likely bugcheck the machine. */
*(BYTE*)JmpAddress=(ULONG)MidObReferenceObjectByHandle-(ULONG)ObReferenceObjectByHandle+5;

// Disable memory write protection: save CR0 in CR0VALUE, then clear bit 16 (WP)
// NOTE(review): CR0 is a per-processor register, so this only affects the CPU
// executing this code.
 _asm  
   
  {
  push eax
   
  mov eax, cr0 
  mov CR0VALUE, eax 
  and eax, 0fffeffffh  
  mov cr0, eax
  pop eax
  }
  
  /* Raise to DISPATCH_LEVEL so the copy is not preempted on this processor.
   * NOTE(review): other processors are not stopped and may execute the routine
   * while its bytes are being replaced - confirm how multiprocessor systems
   * are meant to be handled. */
  Irql=KeRaiseIrqlToDpcLevel();
RtlCopyMemory(
  __in (BYTE*)ObReferenceObjectByHandle,
  __in JmpAddress,
  __in 5
);
  KeLowerIrql(Irql);
   
// Re-enable memory write protection by loading the saved CR0 value back
  __asm
   
  {  
   
  push eax
   
  mov eax, CR0VALUE 
   
  mov cr0, eax
   
  pop eax
   
  }
}


/*
 * OriginalObReferenceObjectByHandle - naked trampoline used to reach the
 * unpatched remainder of ObReferenceObjectByHandle.
 *
 * Declared naked, so the compiler emits no prologue or epilogue; the
 * parameters are never touched here and stay on the stack for the real
 * routine. The assembly executes `mov edi,edi / push ebp / mov ebp,esp`
 * (2 + 1 + 2 = 5 bytes of instructions) and then jumps to
 * ObReferenceObjectByHandle + 5, i.e. past the bytes InlineHook overwrites.
 *
 * NOTE(review): this assumes the target's first 5 bytes are exactly that
 * prologue; the bytes actually saved in OriginalBytes are not consulted.
 * On a build where the prologue differs, the jump would land mid-instruction.
 * Confirm against the kernel build this is meant for.
 */
_declspec (naked) NTSTATUS OriginalObReferenceObjectByHandle(
  __in HANDLE Handle,
  __in ACCESS_MASK DesiredAccess,
  __in_opt POBJECT_TYPE ObjectType,
  __in KPROCESSOR_MODE AccessMode,
  __out PVOID *Object,
  __out_opt POBJECT_HANDLE_INFORMATION HandleInformation
)
{
_asm{
mov edi,edi
push ebp
mov ebp,esp
mov eax,ObReferenceObjectByHandle
add eax,5
jmp eax
}
}

/*
 * MidObReferenceObjectByHandle - replacement routine that InlineHook intends
 * callers of ObReferenceObjectByHandle to reach.
 *
 * Forwards every call to OriginalObReferenceObjectByHandle and returns its
 * status unchanged, except in one case: the call succeeded, DesiredAccess is
 * exactly 0x0001, ObjectType is the process object type, and the string at
 * offset 0x174 inside the returned object compares equal (case-insensitive)
 * to "notepad.exe". In that case the reference just taken is dropped and
 * STATUS_INVALID_HANDLE is returned instead.
 *
 * NOTE(review): 0x0001 is PROCESS_TERMINATE for process objects; the test is
 * an exact match, so a request combining it with other rights passes through.
 * NOTE(review): 0x174 is presumably the EPROCESS image-name field on one
 * specific 32-bit Windows build. The offset is undocumented and differs
 * between builds; on any other build this reads unrelated memory. Confirm.
 * NOTE(review): matching on the image name alone applies to every process
 * with that file name, and the name field is short and may lack a terminating
 * NUL for long names - verify before relying on _stricmp here.
 * NOTE(review): on the denied path *Object still holds the pointer whose
 * reference was released.
 */
NTSTATUS MidObReferenceObjectByHandle(
  __in HANDLE Handle,
  __in ACCESS_MASK DesiredAccess,
  __in_opt POBJECT_TYPE ObjectType,
  __in KPROCESSOR_MODE AccessMode,
  __out PVOID *Object,
  __out_opt POBJECT_HANDLE_INFORMATION HandleInformation
)
{
    NTSTATUS result;
    char *image_name;

    /* Always run the real routine first; filtering happens on its outcome. */
    result = OriginalObReferenceObjectByHandle(Handle, DesiredAccess, ObjectType,
                                               AccessMode, Object, HandleInformation);

    /* Only successful requests for exactly access mask 0x0001 are examined. */
    if (result != STATUS_SUCCESS || DesiredAccess != 0x0001) {
        return result;
    }

    /* Only process objects are examined. */
    if (ObjectType != *PsProcessType) {
        return result;
    }

    /* Hard-coded offset into the referenced object; see the header notes. */
    image_name = (char*)((ULONG)(*Object) + 0x174);
    if (_stricmp(image_name, "notepad.exe") != 0) {
        return result;
    }

    /* Matching process: release the reference taken above and report failure. */
    ObDereferenceObject(*Object);
    return STATUS_INVALID_HANDLE;
}


/*
 * InlineUnHook - write the 5 bytes saved in OriginalBytes back over the start
 * of ObReferenceObjectByHandle.
 *
 * Mirrors InlineHook: save CR0 and clear bit 16 (write protect), raise IRQL,
 * copy the saved bytes back, lower IRQL, restore CR0.
 *
 * The function has no declared return type (implicit int) and returns no value.
 *
 * NOTE(review): the same caveats as the patching side apply - CR0 is changed
 * only on the current processor, and raising IRQL does not stop other
 * processors from executing the routine while its bytes are rewritten.
 * NOTE(review): nothing here waits for threads that are currently executing
 * inside MidObReferenceObjectByHandle; if the driver image is unloaded right
 * after this returns, such a thread would resume in freed memory. Confirm.
 */
InlineUnHook()
{
KIRQL Irql;
  /* Disable write protection: save CR0 in CR0VALUE, then clear bit 16 (WP). */
  _asm
   
  {
   
  push eax
   
  mov eax, cr0 
   
  mov CR0VALUE, eax 
   
  and eax, 0fffeffffh  
   
  mov cr0, eax
   
  pop eax
   
  }
  /* Raise to DISPATCH_LEVEL for the duration of the 5-byte copy. */
  Irql=KeRaiseIrqlToDpcLevel();

RtlCopyMemory((BYTE*)ObReferenceObjectByHandle,OriginalBytes,5);

KeLowerIrql(Irql);
  
  // Re-enable write protection by loading the saved CR0 value back
  
  __asm
   
  {  
   
  push eax
  mov eax, CR0VALUE 
  mov cr0, eax
   
  pop eax
   
  }

}


/*
 * Unload - driver unload routine, installed as driver->DriverUnload by
 * DriverEmpty. Restores the original bytes via InlineUnHook and logs a
 * message. The driver object parameter is not used.
 *
 * NOTE(review): no return type is declared (implicit int), while an unload
 * routine is expected to return VOID; the parameter name looks like a typo
 * for "driver".
 */
Unload(PDRIVER_OBJECT dricer)
{
InlineUnHook();
DbgPrint("Driver is Unloaded...\r\n");
}

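 /*
  * DriverEmpty - initialisation routine: applies the patch via InlineHook and
  * registers Unload as the driver's unload routine.
  *
  * @param driver      driver object; its DriverUnload field is set here.
  * @param reg_string  registry path; not used.
  * @return STATUS_SUCCESS.
  *
  * The original body fell off the end of a function declared to return
  * NTSTATUS, leaving the returned status undefined. A failure status returned
  * by chance would make the loader discard the image while the patch still
  * points into it, so the status is now returned explicitly.
  *
  * NOTE(review): the entry symbol the linker looks for is DriverEntry (see the
  * LNK2019 message); this routine is named DriverEmpty, so it does not satisfy
  * that reference.
  */
 NTSTATUS DriverEmpty(PDRIVER_OBJECT driver,PUNICODE_STRING reg_string)
{
InlineHook();
driver->DriverUnload=Unload;
return STATUS_SUCCESS;
}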
驱动程序必须有一个入口函数,驱动被加载时系统会自动调用该函数,并在其中完成程序的初始化。该函数的名称为 DriverEntry,原型为:
NTSTATUS 
  DriverEntry( 
  IN PDRIVER_OBJECT DriverObject, 
  IN PUNICODE_STRING RegistryPath 
  );
搞定了,是 _stricmp 写错了。
